Posted
by
timothyon Friday July 17, 2009 @05:00AM
from the village-green-preservation-society dept.

bfire writes "Police officers in the Australian state of Queensland plan to conduct a 'wardriving' mission around select towns in an effort to educate citizens to secure their wireless networks. When unsecured networks are found, the Police will pay a friendly visit to the household or small business, informing them of the risks they are exposing themselves to. Officers also hope to return to surveyed areas within a month to see if users have fixed their security settings. The idea is modeled on another campaign where officers walk around railway stations checking cars have been locked, and leaving notes warning people of the dangers involved with leaving their vehicles unsecured."

Well, the police also lock the cars as well as putting notes on them...

A friend of mine got hit by this, he had an old car which used 2 keys - one to open the door, and one to start the engine... He had lost the door key, but still had the engine one, so he simply left the car unlocked. Being an old, rusty and totally worthless looking vehicle it never got stolen, and he never left anything in it worth stealing either. It wasn't a problem until the cops came along and locked him out of it.

You just plain shouldn't be hanging out in a parking lot where you don't have a car in most cases. And you DEFINITELY shouldn't be taking an inventory of what's in which car. That is, plain and simple, preparation to steal from the vehicles. Not to steal the cars, just their contents.

So now looking at things is preparation to steal them? Is looking a woman preparation to rape her? What about slowing down and looking twice? Perhaps you need a burka for your car.

Being an old, rusty and totally worthless looking vehicle it never got stolen, and he never left anything in it worth stealing either. It wasn't a problem until the cops came along and locked him out of it.

And because in one unlikely, rare event the thing doesn't work out, that means?

Everything has its downsides. Heck, feeding starving children in Africa probably creates a few fatalities (overeating, getting sick, or being killed when the sack of rice falls on you, whatever). It's just that the net effect is positive.(*)

(*) let's not discuss the Africa example, I know that in some cases it's not positive, local economy and all that.

Well, the police also lock the cars as well as putting notes on them...

How exactly? My car can only be locked with both doors already closed. This is a safety to make it impossible for you to be locked out. So if you wanna lock it without keys from outside, you need one window down (which they wouldn't be able to as the electric motors require the ignition to be on).

Plus I don't want anyone fiddling with my car, good intentions or otherwise. Still an invasion of my property.

Have you tried locking your doors from the inside and when you close the driver's side door make sure you hold the door handle up as you shut it. This is what some auto makers implemented as a way to keep you from locking yourself out before keyless entry was near standard equipment. Having to physically have the door handle open is a last reminder to make sure keys are in hand.

I used to have a LeBaron convertible. When I first got it, I used to always lock it. One day, I discovered that criminals will happily cut into a top to unlock a door. Nothing inside the car was worth more than my deductible (plus the hassle of actually getting the top replaced), so I stopped locking it entirely. Thankfully, no pigs ever bothered to lock it for me.

On the other hand, the criminals still sometimes assumed it was locked and broke a window once to break into my unlocked car.

What's to keep me from dressing up like a cop and wander the area a few days after the real cops informed the people there that I'd come and be friendly to them? I guess not a single person will check whether I'm really a cop, they will not wonder why I want to use their computer "to make them secure"...

Hell, I don't even need a uniform for that. Make it a t-shirt saying "federal security" with a matching baseball cap (akin to that spiffy FBI gear), I won't even break a law if I manage to weasel word around

They will say that by doing it deliberately you are aware of and accept the risks and responsibility of unknown third parties using your network to do illegal things... So if someone decides to download a bunch of kiddie porn through your open wifi, the cops will come straight back and arrest you for it.

Yeah but any good security+ certified IT professional knows that even a locked down wireless network is never completely secured. Like a car there are ways around a wireless security. I used to go out with a team and would crack networks of clients to see if they were updating and standardizing their encryption keys. It was rare that we cracked them but the fact that we did shows that even a secure network is never too secure. And there are always new vulnerabilities. So even if they warn you that is

The problem with what you are saying is you are thinking like an IT guy, that is to say you are logically walking through the steps from point A to Z. Not your fault really, it is pretty much the way most of us do it.

The problem with using logic is that Child Porn has become the new red scare and sadly logic often don't have shit to do with whether you will be spending years in PMITA prison or not. See McMartin preschool [wikipedia.org] and Little Rascals Daycare [religioustolerance.org] for examples.

Now see, if they had actually used logic they would have said something like "Chuck Norris killing elephants in dungeons? WTF?" but instead they bulldozed the place to the ground actually looking for the fricking dungeon! So sadly until we get rid of scaremongers like Nancy Grace and start actually using logic in the courtrooms again you would have to be batshit crazy to have an open Wifi. Because your logic doesn't really help you when everyone is treating you like a monster, the state has confiscated all your possessions and leaves you to rot in some cell.

Sad that we have fallen this far down the rabbit hole, especially when the vast majority of sexual abuse cases involves a family member or family friend and not some Internet bogeyman, but you simply can't deny reality. If the cops kick down your door and scream "Child molester!" while pointing at you nowadays you are guilty, and whether you can prove your innocence later it will often still cost you years of your life, your friends, maybe even your family. It just isn't worth it.

Most IT pros know this, but in most countries, an illegal act coming from an IP is evidence enough to convict (in a criminal) or find the IP's owner at that time culpable for wrong doing (in a civil matter). There has yet to be a single precedent in the US and europe to disassociate an IP with a physical person. For all intents and purposes, someone acting from x.x.x.x is acting as Joe Schmoe.

Open wireless: The owner gets held liable for criminal negligence, or as a accessory.

This sounds very strange. I'm going to refrain from throwing out obvious car analogies, but how can you be convicted for crimes someone else committed? Does this apply to all parts of the carrier chain? Your ISP? The phone company whose physical lines the ISP is using? The state owning the ground those lines are in?

If you are the only one acting as an INDIVIDUAL in the chain, you will come off worst. Want to trade kiddy porn? Form a publicly traded company as a front, then any criminal downloading can be investigated 'in-house' with the details hidden for reasons of commercial confidentiality etc.

Agreed. I like being able to check my email from my laptop around the city -- sitting outside at the park or at a cafe that doesn't offer wifi -- and I like to return the favor. Leaving wifi open (within reason) is just being a good neighbor.

I also like the idea of police officers visiting every home and place of business, more as a social visit and to establish better ties between the police and civilians. You know, get to know 'your' local police officer and, establish a more social contact with at least one officer whom you can contact in the event of need. Also it would help to remind officers of what their role really is in assisting the public to maintain a civil and orderly society.

Of course while it might work in Australia, in the US with pepper spray and taser abuse out of control and with 'public' discussions of the effectiveness, legality and use of torture it would likely have the opposite affect and drive an even greater wedge between 'law enforcement' and the public.

In Belgium when you move, the local cop will make a visit when you moved. This is to see if you live where you say you live. This can go from just knocking on your door and say hello to actually walk around and see if you live there, not just rent the place as a fake address.

A friend of mine had a nice chat and some coffee with the guy.

For me it took some three months and he really looked if I lived there, because each time he could I worked or was in another country and when I could he was not available. So he might have thought I was just renting the place with nothing in it, so e.g. debt collectors can not take away my stuff, while in reality I was living in a mansion.

In another town, my local cop was somebody who I often shared a beer with. And when I had a ticket, I just gave him the money and he would do the rest. He then would put the proof of payment in my mailbox. That way I did not need to go to the post office and buy the stamps. The system is now changed and I can pay directly via my bank.

In those days, the local cops would get the first beer free in the pub and payed for everything after that. I liked it, because I knew they knew what was going on in their neighborhood and so what if they where sometimes drunk. It showed the rest they were people as well and made the distance much smaller.

But then in Belgium drinking is not something that is frowned upon and the result is that we have the world largest brewery company.

I really wish police officers would act as part the community, interacting with us, instead of acting as a separate society, above and over us.

The last time I approached a police officer in public, we ended up discussing his laptop and the car's electronics for a few minutes. Trust me, I've been hassled by the cops for innocent behavior before, and I'm no cop-lover. But to assume that they're all mega-assholes is just dumb. What they are is deluded into thinking that they can make (on balance) a positive difference by taking a job which basically forces them to be a bully.

I'm not saying that we should make all the cops go away right now, but consi

Seems like some kind of pseudo threat to me. What are they implying, that if some criminal uses their open access port to post goat porn to/b/ the home owner is going to be criminally liable? What if you _like_ having an open access port, and don't mind if your elderly neighbors use it occasionally to check their email? Quite frankly it doesn't seem to be the homeowner's job to lock the world down in order to prevent crime, especially crime that can be remedied by pulling a plug, if it ever actually causes the homeowner to lose bandwidth. Come to think about it, it's not the cops job to prevent crime either.

So, who exactly is this benefiting? My guess would be whoever provides ISP service has been hitting up their political puppets... after all, your 60 year old neighbor should get with the times and start paying $100 a month for internet access like all the other good citizens.

If you know your neighbors, you can quite easily give them the key to access your wireless...Your 60 year old neighbor isn't going to abuse it, your 16yr old neighbor isn't either because you know them and any illegal activity will easily be traced back to them... The evil kiddie fiddler who parks his van round the corner and sits in the back downloading kiddie porn through your connection doesn't know you, and you don't know him, so when the police turn up asking why your connection has been used to downlo

Seems like some kind of pseudo threat to me. What are they implying, that if some criminal uses their open access port to post goat porn to/b/ the home owner is going to be criminally liable?

It is not a threat. It is a fact. If your WLAN is left open and someone commits crimes through it, you could be really screwed. In most cases it would probably not be enough to prove that you did the crime and get you a sentence in court but it could still land you a lot of trouble. And it could be used maliciously: Let's say that a co-worker that likes neither you or your boss comes to use your WLAN to harass your boss?

There are risks in having an open WLAN. Some of them have something to do with you becoming suspected of crime, some are about how other people can commit crimes against you. It can be argued if the police is the best organization to educate about this or not but police certainly can do it and it is important thing to do.

What if you _like_ having an open access port, and don't mind if your elderly neighbors use it occasionally to check their email?

Then they say "Okay." and go to the next apartment. This isn't about them coming to force you protect your WLAN, it is about educating that "Hey, your WLAN is open. Are you aware of the risks?" Because honestly, there are a lot of WLANs that are open because their owner has forgotten to protect them, doesn't know how to do it or doesn't even know that it should be done. I would guess that these even outnumber those who leave it open intentionally.

Quite frankly it doesn't seem to be the homeowner's job to lock the world down in order to prevent crime,

Same can be said about locking your apartment's door. It isn't a homeowners job, right?

especially crime that can be remedied by pulling a plug, if it ever actually causes the homeowner to lose bandwidth.

In some cases the crime can cause a lot more. Perhaps the cops should visit you?

Come to think about it, it's not the cops job to prevent crime either.

Wait, what? Police is supposed to execute the laws which tell what people shouldn't do. It certainly isn't limited to investigating the wrongs that people have already done.

Come to think about it, it's not the cops job to prevent crime either.

Wait, what? Police is supposed to execute the laws which tell what people shouldn't do. It certainly isn't limited to investigating the wrongs that people have already done.

In the US, this is strangely true.

See Jessica Gonzalez vs. The United States (http://www.aclu.org/womensrights/violence/gonzalesvusa.html), as a good example of this.

Try suing the police for failing to show up when you call 911. This is one of the hotbutton issues for the gun lobby -- if the police have no legal obligation to actually protect you, then you need the means to do it yourself.

Sometimes, they're just the result of some actual cop doing some actual thinking and coming up with the idea that driving around and warning people that their car is unlocked or their WLAN open may cost X, while the police actions resulting from these problems will cost Y, and X prevent crime instead of always going after the culprits after something bad has already happened. It's not a very pleasing job, that.

Unless Australia has far less problems with usual crime than other "modern" and "civilized" countries, I would suggest the prevention and investigation of actual crimes to be a far better way to spend taxpayer money.

Unsecured Wireless networks though? Not the general taxpayers problem.

One of my internships involved installing free and open wireless access points around my university's small town. I always wondered if another student would be taking them all down in the future. Some things are just too good to be true. Although, I hear some homeless are making use of free access points in their own cities. Why would anyone want to take that away? I'm all for free internet, and enjoyed the internship, but something tells it's just not going to last.

They usually sit down in a cafe or something and plug in at a wall outlet. Usually they'll buy something small so they don't get kicked out. And since I know someone will come along and say, "how do they even get a laptop!?" you can pick them up pretty damn cheap at yardsales now a days if they're really old (like a giant toshiba gray brick) or a pawn shop. It's kind of hard to be without Internet now a days, even if you're homeless, especially if you're trying to find work. Try walking around the mall some

...and leaving notes warning people of the dangers involved with leaving their vehicles unsecured.

What? People don't know this in Australia? I mean if it came to become a campaign the problem must have been of significant magnitude. I'm not trying to flamebait here but back to my question: people don't know this in Australia?

But this is not about any belongings. This is about rather important belongings, such as your car or your house. When you leave either unsupervised you make sure they're locked. In my experience people aren't even aware of it when they do it, it's more like a reflex to reach for your keys and lock the door when you leave the house or the car. Perhaps it's a mentality thing, I don't know. But I'm still surprised that such common sense isn't for granted. I mean I'm not talking about isolated cases, of course

Most people don't know about it and don't even think about it. First of all they're happy that their WiFi works so fine for them, without hassle. That it works just as well for others doesn't even cross their mind.

Security is an alien concept to them. When I pointed out the problem that someone could use their AP I got a bewildered look and the question "now why would anyone do that? They have their own wireless, why use mine?"

No I can understand the WiFi problem. It's a rather new concept for most people and they haven't really been taught the consequences. But Benz invented the modern automobile in 1885. You'd think (or rather I'd think) that people should have learned by now.

It must be known to the world that 1) not broadcasting your SSID and 2) restricting MAC addresses both do NOTHING for security. Best to leave your SSID broadcast, not restrict MAC addresses, and actually implement REAL security: WPA2 with a strong key.

[ knock, knock ]-Do you have the WLAN with the SSID MonkeyTails?-The what, Sir?-Wireless Network?-Oh, for the computer Internet? No, I think ours is called captaincrook.-Okay, that one is safe.-Safe?-Yeah, we are driving around checking for insecure WLANs. Do you know who MonkeyTails are?-I think it's my neighbour.-Ok, thank you.[ knock, knock ]- Hello.- Hello, are you the owner of the WLAN MonkeyTails?- Yes?- It's insecure.- I know.- Well, you should secure it.- No, I don't want to secure it.- You should secure it or pedophiles could use it.- It is an old router that doesn't support encryption.- Well, let us know if you see any pedophiles.- Bye.

So when a kid demonstrates he can access his school's network or a customer demonstrates that he can get free calls from a phone system, they will be thrown out of school for 'hacking' or arrested for 'theft of service'. But when the police do it, it's fine?

It seems that two of the largest organisations hating the sharing of WiFi access are the police, who don't like the fact that unofficial open access points don't log and the ISPs who hate to think that they are losing a potential customer.

Some years back in London, a chain of winebars (C&B) offered free access for their customers with no fancy tumbling time code or anything (you, know where they print a code that has a limited validity on the till receipt).. A story appeared in one of the papers about how people were able to 'steal WiFi access' showing the 'security consultant' with a laptop in the city of London demonstrating that there was open WiFi. Yep, because they are standing directly outside that Winebar (out of shot). I have stood there myself, as the bar was too noisy, so I could use Skype over WiFi to contact my SO. This is fairly common practice now, but it disrupts the business models of people like Vodafone or commercial WiFi providers.

Don't you know that the evil predators can actually ABDUCT INNOCENT CHILDREN THROUGH UNSECURED WIRELESS? Every time the police shut down an unsecured access point they're literally preventing billions of rapes and murders. The only people who could possibly be against this idea are probably the predators who make torture porn of little girls. God bless these valiant crime fighters who are making the world safe one W.A.P. at a time.

It was supposed to be funny, an example of the typical paranoid over-reaction of people to things done in the name of child safety (which seems to be the big boogieman that people are worried about concerning unsecured WAPs... Evil evil cp.)

I'm certainly not a believer in the "if it saves one child" mentality, especially in a situation like this where rational people realize that this isn't doing anything to protect anyone at all, certainly not children. By that kind of logic all sorts of evil, stupi

And you know it's funny, because an open WiFi router does not mean you are allowing open access to your network, at all. The "risks", it seems, are really that you are more likely to get visited by the police...

I understand why the Police are doing this, and I think it is a good move. Yes, I am an Australian, and a QLD'er.

This will let people know who truly do not, and can prevent crimes such as identity theft, downloading illegal stuff etc.

For the record, operating an insecure wifi AP is not illegal, this is just a helpful initiative.

The thing is, it is 2009. For the last 5 years at least, most AP's have security enabled by default, or at least as a mandatory step of the setup.

At the very least, there will be a warning that will be hard to miss.

For the last 5 years or so, information on this has been forthcoming to people who are not overly technical via:

* TV shows, non technical like 60 minutes or a talk show
* Magazines, including many of which are non tech magazines
* Various websites, including many non tech websites, such as MSN
* Your operating system, such as Windows, OS X or Ubuntu giving you warnings
* User guides or manuals in very, very, simple to understand language
* Warning stickers on the box or device
* Probably quite a few other avenues as well

There is very little reason to not be aware of the risks of running an insecure network. All too often it is a case of stupidity, as people do this for the sake of convenience. Nothing is going to change these peoples minds.

For the record, operating an insecure wifi AP is not illegal, this is just a helpful initiative.

I agree, but are the cops just following a script? An access point with no WPA isn't necessarily insecure from intruders - it could have a captive portal or something behind it (it is insecure from sniffers but that's a problem that shouldn't be solved at the wireless level anyway).

If the police in the state where I live try this, will I get a knock on my door and have to explain to them that my network is secure

Does the police specified that people should use WAP and Strong passwords, if they really wanted to protect their networks.

I've moved to a new apartment 3 months ago. My building is in a very dense populated area. Due to bureaucrat issues, I was over one month without an internet connection. Since I had over 25 available wireless networks on my house I gave the http://www.aircrack-ng.org/doku.php?id=tutorial [aircrack-ng.org] aircrack online tutorials a shot. It was amazing how easy it is to crack a WEP connection. On average I took less than 10 minutes to crack a WEP wireless. Over 40% of people(at least around here), still use this totally insecure encryption method.
I've started to get curious about who is Using Wep. So I've made a survey with my laptop, and my phone(it has wireless), to see who is using Wep. I have a HP shop on the other side of the street, that has a big splash symbol on the window "Microsoft Certified". They have IT consultants and they are using WEP. What a joke.
My local Social Security Center is using WEP possibily exposing the entire contry database(it's just a guess. I didn't really crack it). Also WAP is not difficult to crack with weak passwords, and most of the people don't have a clue about strong passwords.
I currently have my network open, only closing when I need full bandwidth, and my SSID is something like WEP_IS_LIKE_OPEN, but in my language.
I guess worst than having an open network is to wrongly think you are secure.

I've moved to a new apartment 3 months ago. My building is in a very dense populated area. Due to bureaucrat issues, I was over one month without an internet connection. Since I had over 25 available wireless networks on my house I gave the http://www.aircrack-ng.org/doku.php?id=tutorial [aircrack-ng.org] aircrack online tutorials a shot. It was amazing how easy it is to crack a WEP connection. On average I took less than 10 minutes to crack a WEP wireless. Over 40% of people(at least around here), still use this totally insecure encryption method.

Yep, I use WEP. I still own devices that won't do anything newer. I don't really see the insecurity as a big deal - an open AP is an advertisement that you don't mind random people using it, an AP with some kind of security (even if it's weak) tells people it isn't for public use. If you choose to break the WEP key then you're choosing to break the law.

I live in a neighbourhood where there are at least 2 other networks within range that are totally open, so I suspect people won't care about mine, but more importantly all my machines are secure and the traffic between internal machines on the network is encrypted, so it isn't really that big a deal if someone breaks into it.

If I had an access point that could reliably do virtual SSIDs (sadly the WRT54GL won't - it can do virtual SSIDs but they have to share the same address which confuses too many clients), I would likely set up a separate open network that used a transparent proxy to do logging so that anyone could use it.

I have a HP shop on the other side of the street, that has a big splash symbol on the window "Microsoft Certified". They have IT consultants and they are using WEP. What a joke.

Not really - they may require a WEP network in order to connect older devices that have no WPA/WPA2 support. Unless you've broken the law and actually cracked the key and investigated further then you have no idea what underlying security they have beneath the WEP - they might only allow ESP+AH traffic, in which case there is absolutely no security problem at all.

Also WAP is not difficult to crack with weak passwords, and most of the people don't have a clue about strong passwords.

Guess what - most people have door locks that are trivial to pick if you have the right knowledge and tools. There is only so much you can do to stop criminals. I'm sure you don't upgrade all your door locks to the latest greatest high security ones every time someone works out how to pick them, why should you expect people to replace all their wireless kit every time a compromise is found?

"If I had an access point that could reliably do virtual SSIDs... I would likely set up a separate open network that used a transparent proxy to do logging so that anyone could use it."

That is an INCREDIBLY BAD IDEA. Do NOT log anything - for 2 reasons:

1) There is the possibility of logging information that could be considered "private" - in the (admittedly unlikely) event that somebody caught wind of it, you might find yourself on the receiving end of a civil suit and/or a criminal charge. The fact such a charge would likely be found unwarranted in no way mitigates the expense and hassle of dealing with it.

2) Should the police trace something to your connection, they WILL subpoena those logs. If and when they don't find what they are looking for, they will assert you have what they want and didn't surrender it, and they will tear your place apart looking for it. If you keep the logs for $TIMEPERIOD, and the event happened at $TIMEPERIOD+$POSITIVEDELTA ago, they will STILL want the logs - and the statement "I deleted them" will be portrayed at "COLLABORATION with TERRORISTS and PAEDOPHILES!" (again, it doesn't matter if they ultimately succeed in that, the cost of defending against it will be staggering).

Ultimately, the rule to follow is "Record NOTHING you don't want to see on the 6 o'clock news, or have used against you in a court of law."

My friend is using WEP knowing the danger fully.He switched from WPA. Left WEP to signify "this is not an open network. You are not free to use it".

He has a phone with Windows Mobile and Skype. He uses VOIP when at home. Except the CPU of the mobile can handle realtime VOIP or WPA encryption, but not both. Simply not enough power for WPA. It works just fine with WEP though.

Last time I checked the Nintendo DS could talk wireless, but only WEP. So there are likely a few places around with WEP instead of WPA for that reason (although I'm not sure what you'd actually do with a DS if you got it online...)

I think it's a good campaign. After all, how much money and time do you think it takes to cover a neighborhood? A couple of officers could probably do this in a few days.
Nobody said it's illegal and they are not constraining anyone to "secure" their AP. It's just like a patrol passes by and they see you are in some kind of trouble. It's their job to stop and ask if you need any assistance. If somebody wants to keep their wireless open, it will probably cost them a couple of minutes to talk to the police an

We locked up a corrupt politician from the same party as the Government up for seven years today in Queensland. Can you imagine that happening in the land of Scooter and Chaney? Having "not much going on" requires a bit of effort and everyone bothering to get off their arse to vote and scaring leaders into honesty.

Back to WiFi, one funny thing is a large number of access points have names along the lines of "f* off" and at least have some attempt at security (can't tell if they are WEP or not from just l